DOCSLIB.ORG

NETS1028 04 Firewalls and Filters

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
NETS1028 04 Firewalls and Filters Security Design Firewalls and Filters System Examination System Configuration Firewalls and Filters Hardening Software Backups and Change Management Access Control and Authentication Virtual Private Networking Logging and Monitoring Security Policy and Management Support SELinux Linux Systems Security NETS1028 LINUX SYSTEMS SECURITY - DENNIS SIMPSON ©2015-2021 Firewall • A physical barrier designed to slow or prevent the spread of fire • In computer networks, a mechanism to slow or prevent the passage of network traffic • Several firewall software packages have come and gone over the past 20 years, iptables is ubiquitous for Linux now • Many front-end software packages have been created to manage iptables for you because iptables is considered inscrutable NETS1028 LINUX SYSTEMS SECURITY - DENNIS SIMPSON ©2015-2021 netfilter.org • Netfilter is the home of several packet filtering projects including iptables, which is used in most modern Linux kernels • GPLv2 licensed, open source, in active development since approximately 1999 • Corporate sponsors include Watchguard, LinuxCare Inc., Connectiva, Sophos, and many others NETS1028 LINUX SYSTEMS SECURITY - DENNIS SIMPSON ©2015-2021 Stateful vs. Stateless • 1st generation packet filters were stateless network layer filters - each packet was examined on an individual basis and decisions about it were based solely on the contents of that packet • 2nd generation packet filters incorporated connection information and could make stateful decisions as well - SPI • 3rd generation adds application awareness and can make decisions based on unexpected traffic patterns - deep packet inspection NETS1028 LINUX SYSTEMS SECURITY - DENNIS SIMPSON ©2015-2021 NAT • NAT was developed to deal with limited address space in IPV4 • It was quickly recognized that it also provided the function of hiding internal addresses making reconnaissance more difficult for attackers • Many firewalls provide NAT as an added tool for slowing attackers NETS1028 LINUX SYSTEMS SECURITY - DENNIS SIMPSON ©2015-2021 Proxies • A proxy is a software device which provides a middleman for connections and can perform additional filtering of traffic • Useful for implementing more complex application-specific rules such as url-based filtering • Email MTAs can perform a proxy function for email • Firewalling external connections from non-proxy hosts can add a layer of protection against internal hosts which have been compromised or have misuse attempted on them NETS1028 LINUX SYSTEMS SECURITY - DENNIS SIMPSON ©2015-2021 iptables Tables • iptables uses 5 built-in tables as the basis for managing traffic • The filter table is the default table used to manage traffic • The NAT table is used to perform address modifications in order to provide NAT and is applied to new connections • The mangle table is used to modify packets in specialized ways • The raw table is for intercepting and customizing connection tracking • The security table is for MAC rules, such as from SELinux and takes effect after the filter table rules • Tables contain chains of rules NETS1028 LINUX SYSTEMS SECURITY - DENNIS SIMPSON ©2015-2021 Packet flow "Netfilter-packet-flow" by Jengelh - Own work, Origin SVG PNG. Licensed under CC BY-SA 3.0 via Commons - https://commons.wikimedia.org/wiki/ File:Netfilter-packet-flow.svg#/media/File:Netfilter-packet-flow.svg NETS1028 LINUX SYSTEMS SECURITY - DENNIS SIMPSON ©2015-2021 iptables Chains • A chain is a sequence of rules • INPUT, OUTPUT, and FORWARD are the built-in chains • INPUT is applied to packets destined for this host from network interfaces • OUTPUT is applied to packets generated by this host • FORWARD is applied to packets not generated by, or destined for, this host • A chain also has a policy, which is what happens to packets not specified in the rules • Create your own chains with iptables -N, delete them with iptables -X NETS1028 LINUX SYSTEMS SECURITY - DENNIS SIMPSON ©2015-2021 iptables Chain Policy • Each rule in a chain can specify parameters to identify packets that the rule applies to and an action to take if the packet matches the parameters • If a packet is compared to all the rules and does not match any of them, the policy for the chain is applied to the packet • The default policy after installation is ACCEPT • Other policies available include DROP and REJECT NETS1028 LINUX SYSTEMS SECURITY - DENNIS SIMPSON ©2015-2021 iptables Rules • Each rule in a chain can have a number of parameters including a target • Typical parameters might include • chain name interface name protocol (name or number from /etc/protocols) source address name/number/cidr range and/or port name or number from /etc/services destination address name/number/cidr range and/or port name or number from /etc/services jump target • Builtin targets include ACCEPT, DROP, REJECT, LOG • Additional targets can be other chains which allows you to clarify your chains • Extensions can also be targets - see iptables-extensions(8) NETS1028 LINUX SYSTEMS SECURITY - DENNIS SIMPSON ©2015-2021 iptables Command • iptables -V to get version info • iptables -L [-v] to get config summary • iptables -S to show rules in iptables command line format • iptables -A to append rules to a chain • iptables -I to insert rules into a chain other than at the end • iptables -F to flush rules from a chain • ip6tables command builds rules for IPV6, or in newest distro releases use the options to specify ipv6 with the iptables command NETS1028 LINUX SYSTEMS SECURITY - DENNIS SIMPSON ©2015-2021 iptables Examples iptables -A INPUT -i lo -j ACCEPT ; iptables -A OUTPUT -o lo -j ACCEPT iptables -A INPUT -i eth0 -p tcp --dport ssh -j ACCEPT iptables -A INPUT -i eth0 -p tcp ! --dport ssh -j LOG --log-prefix "DENIED: " iptables -A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp ! --sport 22 -j LOG --log-prefix "DENIED: " iptables -P INPUT DROP iptables -P OUTPUT DROP What common network traffic might break because of this? How would you discover what was broken? NETS1028 LINUX SYSTEMS SECURITY - DENNIS SIMPSON ©2015-2021 iptables Extensions • Extensions exist for iptables and add packet matching capabilities using modules as well as new targets to give more options about what to do with matched traffic • -m option can be used to specify a module to process matching traffic • Some modules permit options • Interesting modules: limit, connlimit, conntrack, iprange, multiport, comment • Interesting targets: LOG, REDIRECT, TEE http://ipset.netfilter.org/iptables-extensions.man.html NETS1028 LINUX SYSTEMS SECURITY - DENNIS SIMPSON ©2015-2021 iptables Persistence • iptables is a memory-based utility • To have the rules take effect at boot, we need to use software that not only installs the rules, but saves those rules for reinstallation at next boot • Most higher level packages that try to automate firewall management save the rules you create • You can install the iptables-persistent package and save your rules to /etc/iptables/rules.v{46} using ip[6]tables-save • You can use one or more of several packages intended to manage an iptables configuration NETS1028 LINUX SYSTEMS SECURITY - DENNIS SIMPSON ©2015-2021 Common Attack Handling • Drop or limit pings from all non-local hosts, limiting icmp rates across the board can help against smurfs • Drop packets sourced from private netblocks which you aren’t using yourself • Drop malformed packets using --tcp-flags, port scans often use these • Configure appropriate kernel tuning parameters to increase resilience to attacks • Modern Linux kernel is quite robust in major distros, most attacks are on services so block or limit them and use whatever config options are available to you in those services NETS1028 LINUX SYSTEMS SECURITY - DENNIS SIMPSON ©2015-2021 iptstate • top-style tool for observing connection states • Requires at least one rule that uses conntrack or state extension in order to provide state capture • help screen available with h key, shows current sort and display settings NETS1028 LINUX SYSTEMS SECURITY - DENNIS SIMPSON ©2015-2021 UFW • Uncomplicated Firewall • A command line utility to simplify firewall management • Uses pre-configured rulesets for common configurations, with catch-all rules in /etc/ufw • It is a front end to the iptables command, but conflicts are probable if you use both to set up your firewall - instead use the pre and post rules files in ufw to set up custom rulesets • Provides enable/disable and configuration save • gufw is a graphical frontend to ufw https://help.ubuntu.com/lts/serverguide/firewall.html https://help.ubuntu.com/community/Gufw NETS1028 LINUX SYSTEMS SECURITY - DENNIS SIMPSON ©2015-2021 ipkungfu • Another frontend to iptables (there are many, e.g. https://taufanlubis.wordpress.com/ 2007/09/23/need-proctection-for-your-ubuntu/) • Uses a relatively friendly configuration file and supports automatic config at boot • Groups many rule ideas into simpler concepts and makes them options in config files • Designed and intended for use on a router, but with configuration changes can be used on any machine https://help.ubuntu.com/community/firewall/ipkungfu NETS1028 LINUX SYSTEMS SECURITY - DENNIS SIMPSON ©2015-2021 fail2ban • fail2ban is a package that can scan log files looking for repeated login failures and then block the source hosts using iptables • It does not require chain DROP policy, so if you don’t have a deny policy, it will still work • fail2ban knows many common log file formats such as ssh, web servers, email servers, ftp, and many applications that sit on top of those services • see /etc/fail2ban/filter.d for the logs it knows, /var/log/fail2ban.log to see what it has been doing when running • copy /etc/fail2ban/jail.conf to /etc/fail2ban/jail.local and modify to enable or configure jails • fail2ban.org, 2014 PyCon video: https://www.youtube.com/watch?v=xcXheAWy7cU#t=190 NETS1028 LINUX SYSTEMS SECURITY - DENNIS SIMPSON ©2015-2021 Additional Filtering • Proxy servers (email, web, etc.) can be set up • Use iptables to prevent connections for proxied services that try to bypass the proxies • Proxies can do application-level filtering NETS1028 LINUX SYSTEMS SECURITY - DENNIS SIMPSON ©2015-2021.
Load more

Recommended publications
  • Test-Beds and Guidelines for Securing Iot Products and for Secure Set-Up Production Environments
    IoT4CPS – Trustworthy IoT for CPS FFG - ICT of the Future Project No. 863129 Deliverable D7.4 Test-beds and guidelines for securing IoT products and for secure set-up production environments The IoT4CPS Consortium: AIT – Austrian Institute of Technology GmbH AVL – AVL List GmbH DUK – Donau-Universit t Krems I!AT – In"neon Technologies Austria AG #KU – JK Universit t Lin$ / Institute for &ervasive 'om(uting #) – Joanneum )esearch !orschungsgesellschaft mbH *+KIA – No,ia -olutions an. Net/or,s 0sterreich GmbH *1& – *1& -emicon.uctors Austria GmbH -2A – -2A )esearch GmbH -)!G – -al$burg )esearch !orschungsgesellschaft -''H – -oft/are 'om(etence 'enter Hagenberg GmbH -AG0 – -iemens AG 0sterreich TTTech – TTTech 'om(utertechni, AG IAIK – TU Gra$ / Institute for A((lie. Information &rocessing an. 'ommunications ITI – TU Gra$ / Institute for Technical Informatics TU3 – TU 3ien / Institute of 'om(uter 4ngineering 1*4T – 1-Net -ervices GmbH © Copyright 2020, the Members of the IoT4CPS Consortium !or more information on this .ocument or the IoT5'&- (ro6ect, (lease contact8 9ario Drobics7 AIT Austrian Institute of Technology7 mario:.robics@ait:ac:at IoT4C&- – <=>?@A Test-be.s an. guidelines for securing IoT (ro.ucts an. for secure set-up (ro.uction environments Dissemination level8 &U2LI' Document Control Title8 Test-be.s an. gui.elines for securing IoT (ro.ucts an. for secure set-u( (ro.uction environments Ty(e8 &ublic 4.itorBsC8 Katharina Kloiber 4-mail8 ,,;D-net:at AuthorBsC8 Katharina Kloiber, Ni,olaus DEr,, -ilvio -tern )evie/erBsC8 -te(hanie von )E.en, Violeta Dam6anovic, Leo Ha((-2otler Doc ID8 DF:5 Amendment History Version Date Author Description/Comments VG:? ?>:G?:@G@G -ilvio -tern Technology Analysis VG:@ ?G:G>:@G@G -ilvio -tern &ossible )esearch !iel.s for the -2I--ystem VG:> >?:G<:@G@G Katharina Kloiber Initial version (re(are.
    [Show full text]
  • Computer Security Administration
    Information Security Group Information + Technology Services University of Toronto Endpoint Security Policy System A Network Access Control System with Vulnerability Detection and User Remediation Evgueni Martynov UNIX Systems Group Mike Wiseman Computer Security Administration Endpoint Security Policy System Table of Contents Acknowledgements............................................................................. 3 Change History .................................................................................... 4 Summary ............................................................................................. 5 Overview .............................................................................................. 5 Network Isolation ............................................................................... 6 Vulnerability Detection ....................................................................... 6 User Remediation ................................................................................ 8 Administering ESP ............................................................................... 8 ESP Operations Experience ................................................................ 9 Appendix I – Installation and Configuration of ESP server ........... 10 Using init.sh ..................................................................................... 10 Post-Installation ................................................................................ 11 Configuring an ESP Server to Work with an ESP Agent .......................
    [Show full text]
  • Hostscan 4.8.01064 Antimalware and Firewall Support Charts
    HostScan 4.8.01064 Antimalware and Firewall Support Charts 10/1/19 © 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco public. Page 1 of 76 Contents HostScan Version 4.8.01064 Antimalware and Firewall Support Charts ............................................................................... 3 Antimalware and Firewall Attributes Supported by HostScan .................................................................................................. 3 OPSWAT Version Information ................................................................................................................................................. 5 Cisco AnyConnect HostScan Antimalware Compliance Module v4.3.890.0 for Windows .................................................. 5 Cisco AnyConnect HostScan Firewall Compliance Module v4.3.890.0 for Windows ........................................................ 44 Cisco AnyConnect HostScan Antimalware Compliance Module v4.3.824.0 for macos .................................................... 65 Cisco AnyConnect HostScan Firewall Compliance Module v4.3.824.0 for macOS ........................................................... 71 Cisco AnyConnect HostScan Antimalware Compliance Module v4.3.730.0 for Linux ...................................................... 73 Cisco AnyConnect HostScan Firewall Compliance Module v4.3.730.0 for Linux .............................................................. 76 ©201 9 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
    [Show full text]
  • Lecture 11 Firewalls
    BSc in Telecommunications Engineering TEL3214 Computer Communication Networks Lecture 11 Firewalls Eng Diarmuid O'Briain, CEng, CISSP 11-2 TEL3214 - Computer Communication Networks Copyright © 2017 Diarmuid Ó Briain Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back- Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". TEL3214 Firewalls 09 May 2017 TEL3214 - Computer Communication Networks 11-3 Table of Contents 1. AN INTRODUCTION TO FIREWALLS........................................................................................................................5 2. THE DIGITAL SECURITY PROBLEM...........................................................................................................................5 2.1 HOME......................................................................................................................................................................5 2.2 ENTERPRISE...............................................................................................................................................................6 2.3 ROAMING INDIVIDUAL.................................................................................................................................................6 2.4 PERIMETER DEFENCE AND FIREWALLS.............................................................................................................................6
    [Show full text]
  • Getting Started with Ubuntu 12.04
    Getting Started withUbuntu 12.04 Second Edition The Ubuntu Manual Team Copyright © – by e Ubuntu Manual Team. Some rights reserved. cba is work is licensed under the Creative Commons Aribution–Share Alike . License. To view a copy of this license, see Appendix A, visit http://creativecommons.org/licenses/by-sa/./, or send a leer to Creative Commons, Second Street, Suite , San Francisco, California, , USA. Geing Started with Ubuntu . can be downloaded for free from http:// ubuntu-manual.org/ or purchased from http://ubuntu-manual.org/buy/ gswue/en_US. A printed copy of this book can be ordered for the price of printing and delivery. We permit and even encourage you to dis- tribute a copy of this book to colleagues, friends, family, and anyone else who might be interested. http://ubuntu-manual.org Second Edition Revision number: Revision date: -- :: + Contents Prologue Welcome Ubuntu Philosophy A brief history of Ubuntu Is Ubuntu right for you? Contact details About the team Conventions used in this book Installation Geing Ubuntu Trying out Ubuntu Installing Ubuntu—Geing started Finishing Installation Ubuntu installer for Windows e Ubuntu Desktop Understanding the Ubuntu desktop Unity Using Launcher e Dash Workspaces Managing windows Browsing files on your computer Nautilus file manager Searching for files and folders on your computer Customizing your desktop Accessibility Session options Geing help Working with Ubuntu All the applications you need Geing online Browsing the web Reading and composing email Using instant messaging Microblogging Viewing and editing photos Watching videos and movies Listening to audio and music Burning CDs and DVDs Working with documents, spreadsheets, and presentations Ubuntu One Hardware Using your devices Hardware identification .
    [Show full text]
  • Step-By-Step Guide to Linux Security for Beginners
    Step-by-step guide to Linux security for beginners Clément Levallois 2017-04-03 Table of Contents Ordering the server . 1 Get the latest versions of all packages . 1 Harden the kernel . 2 Forward root mail . 2 Change the SSH port. 2 Creating a user and disabling logging for root . 3 1. Installing the sudo command: 3 2. Adding a new user (let’s call it "myUser") 4 3. Enabling server connections via myUser 4 4. Disabling connection through root 4 Disabling password authentication, enabling SSH. 4 How to generate a SSH key? 5 How to disable password auth and enable SSH? 5 Setting up a firewall. 6 ip tables 6 better: uncomplicated firewall 7 Use anti-intrusion defenses and audit systems . 7 Psad 7 fail2ban 8 Lynis 8 the end. 9 last modified: 2018-10-01 Ordering the server • Server ordered on Hetzner.de (based in Germany, dirt cheap, but without management.) • Remember to install the Linux version not from the rescue system in the console but from https://robot.your-server.de/server/index in the "Linux" tab. (installing from the rescue system provided with the bare server causes a ssh key mess) • I use Debian, version 8.7 (why?) • Vi is used as a text editor in the following • we are logged as root first Get the latest versions of all packages Do: apt-get update && sudo apt-get upgrade Because: apt-get update → refreshes the repositories and fetches information about packages that are available online. apt-get upgrade → downloads and installs updates for all installed packages - as long as it doesn’t bother dependencies (install new packages, remove old ones or crosses a repo source (switch a package from one repo to another)).
    [Show full text]
  • Ubuntu: Unleashed 2017 Edition
    Matthew Helmke with Andrew Hudson and Paul Hudson Ubuntu UNLEASHED 2017 Edition 800 East 96th Street, Indianapolis, Indiana 46240 USA Ubuntu Unleashed 2017 Edition Editor-in-Chief Copyright © 2017 by Pearson Education, Inc. Mark Taub All rights reserved. Printed in the United States of America. This publication is protected Acquisitions Editor by copyright, and permission must be obtained from the publisher prior to any prohib- Debra Williams ited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information Cauley regarding permissions, request forms and the appropriate contacts within the Pearson Managing Editor Education Global Rights & Permissions Department, please visit www.pearsoned.com/ permissions/. Sandra Schroeder Many of the designations used by manufacturers and sellers to distinguish their Project Editor products are claimed as trademarks. Where those designations appear in this book, and Lori Lyons the publisher was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals. Production Manager The author and publisher have taken care in the preparation of this book, but make Dhayanidhi no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in Proofreader connection with or arising out of the use of the information or programs contained Sasirekha herein. Technical Editor For information about buying this title in bulk quantities, or for special sales opportunities (which may include electronic versions; custom cover designs; and content José Antonio Rey particular to your business, training goals, marketing focus, or branding interests), Editorial Assistant please contact our corporate sales department at [email protected] or (800) 382-3419.
    [Show full text]
  • Ubuntu Server Guide Basic Installation Preparing to Install
    Ubuntu Server Guide Welcome to the Ubuntu Server Guide! This site includes information on using Ubuntu Server for the latest LTS release, Ubuntu 20.04 LTS (Focal Fossa). For an offline version as well as versions for previous releases see below. Improving the Documentation If you find any errors or have suggestions for improvements to pages, please use the link at thebottomof each topic titled: “Help improve this document in the forum.” This link will take you to the Server Discourse forum for the specific page you are viewing. There you can share your comments or let us know aboutbugs with any page. PDFs and Previous Releases Below are links to the previous Ubuntu Server release server guides as well as an offline copy of the current version of this site: Ubuntu 20.04 LTS (Focal Fossa): PDF Ubuntu 18.04 LTS (Bionic Beaver): Web and PDF Ubuntu 16.04 LTS (Xenial Xerus): Web and PDF Support There are a couple of different ways that the Ubuntu Server edition is supported: commercial support and community support. The main commercial support (and development funding) is available from Canonical, Ltd. They supply reasonably- priced support contracts on a per desktop or per-server basis. For more information see the Ubuntu Advantage page. Community support is also provided by dedicated individuals and companies that wish to make Ubuntu the best distribution possible. Support is provided through multiple mailing lists, IRC channels, forums, blogs, wikis, etc. The large amount of information available can be overwhelming, but a good search engine query can usually provide an answer to your questions.
    [Show full text]
  • Ubuntu Server Guide Ubuntu Server Guide Copyright © 2010 Canonical Ltd
    Ubuntu Server Guide Ubuntu Server Guide Copyright © 2010 Canonical Ltd. and members of the Ubuntu Documentation Project3 Abstract Welcome to the Ubuntu Server Guide! It contains information on how to install and configure various server applications on your Ubuntu system to fit your needs. It is a step-by-step, task-oriented guide for configuring and customizing your system. Credits and License This document is maintained by the Ubuntu documentation team (https://wiki.ubuntu.com/DocumentationTeam). For a list of contributors, see the contributors page1 This document is made available under the Creative Commons ShareAlike 2.5 License (CC-BY-SA). You are free to modify, extend, and improve the Ubuntu documentation source code under the terms of this license. All derivative works must be released under this license. This documentation is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE AS DESCRIBED IN THE DISCLAIMER. A copy of the license is available here: Creative Commons ShareAlike License2. 3 https://launchpad.net/~ubuntu-core-doc 1 ../../libs/C/contributors.xml 2 /usr/share/ubuntu-docs/libs/C/ccbysa.xml Table of Contents 1. Introduction ........................................................................................................................... 1 1. Support .......................................................................................................................... 2 2. Installation ............................................................................................................................
    [Show full text]
  • Comodo Korugan UTM Security Target Lite
    Comodo Yazılım A.Ş. Tasnif Dışı/Unclassified Comodo Korugan UTM Security Target Lite Comodo Yazılım A.Ş. Comodo Korugan UTM 1.10 Security Target Lite COMODO YAZILIM A.Ş. The copyright and design right in this document are vested in Comodo Yazılım A.Ş. and the document is supplied to you for a limited purpose and only in connection with this project. No information as to the contents or the subject matter of this document or any part thereof shall be communicated in any manner to any third party without the prior consent in writing of Comodo Yazılım A.Ş. Copyright © Comodo Yazılım A.Ş., 2014-2017 Comodo Yazılım A.Ş. 1 / 48 Author: Onur Özardıç Comodo Yazılım A.Ş. Tasnif Dışı/Unclassified Comodo Korugan UTM Security Target Lite List of Tables Table 1 ST and TOE References ........................................................................................ 6 Table 2 Functional features of TOE ..................................................................................... 8 Table 3 Major Security Features of TOE ............................................................................. 8 Table 4 Assets using TOE resources .................................................................................15 Table 5 Threats addressed by TOE only ............................................................................16 Table 6 Threats met by TOE and TOE Security Environment ............................................16 Table 7 Threats Addressed by TOE Security Environment .................................................16 Table
    [Show full text]
  • How to Cheat at Configuring Open Source Security Tools
    436_XSS_FM.qxd 4/20/07 1:18 PM Page ii 441_HTC_OS_FM.qxd 4/12/07 1:32 PM Page i Visit us at www.syngress.com Syngress is committed to publishing high-quality books for IT Professionals and deliv- ering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional mate- rials available from our Web site. SOLUTIONS WEB SITE To register your book, visit www.syngress.com/solutions. Once registered, you can access our [email protected] Web pages. There you may find an assortment of value- added features such as free e-books related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s). ULTIMATE CDs Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few. DOWNLOADABLE E-BOOKS For readers who can’t wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These e-books are often available weeks before hard copies, and are priced affordably. SYNGRESS OUTLET Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings. SITE LICENSING Syngress has a well-established program for site licensing our e-books onto servers in corporations, educational institutions, and large organizations.
    [Show full text]
  • The Book of PF Covers the Most • Stay in Control of Your Traffic with Monitoring and Up-To-Date Developments in PF, Including New Content PETER N.M
    EDITION3RD BUILD A Covers OpenBSD 5.6, MORE SECURE FreeBSD 10.x, and NETWORK EDITION NETWORK 3RD NetBSD 6.x WITH PF THETHE BOOKBOOK THE BOOK OF PF OF THE BOOK THE BOOK OF PF OF THE BOOK OFOF PFPF OpenBSD’s stateful packet filter, PF, is the heart of • Build adaptive firewalls to proactively defend against A GUIDE TO THE the OpenBSD firewall. With more and more services attackers and spammers NO-NONSENSE placing high demands on bandwidth and an increas- OPENBSD FIREWALL • Harness OpenBSD’s latest traffic-shaping system ingly hostile Internet environment, no sysadmin can to keep your network responsive, and convert your afford to be without PF expertise. existing ALTQ configurations to the new system The third edition of The Book of PF covers the most • Stay in control of your traffic with monitoring and up-to-date developments in PF, including new content PETER N.M. HANSTEEN visualization tools (including NetFlow) on IPv6, dual stack configurations, the “queues and priorities” traffic-shaping system, NAT and redirection, The Book of PF is the essential guide to building a secure wireless networking, spam fighting, failover provision- network with PF. With a little effort and this book, you’ll ing, logging, and more. be well prepared to unlock PF’s full potential. You’ll also learn how to: ABOUT THE AUTHOR • Create rule sets for all kinds of network traffic, whether Peter N.M. Hansteen is a consultant, writer, and crossing a simple LAN, hiding behind NAT, traversing sysadmin based in Bergen, Norway. A longtime DMZs, or spanning bridges or wider networks Freenix advocate, Hansteen is a frequent lecturer on OpenBSD and FreeBSD topics, an occasional • Set up wireless networks with access points, and contributor to BSD Magazine, and the author of an lock them down using authpf and special access often-slashdotted blog (http://bsdly.blogspot.com/ ).
    [Show full text]